Extreme Networks VSAs
VSA Definitions for Web-Based, MAC-Based, and 802.1X Network Login contains the Vendor Specific Attribute (VSA) definitions that a RADIUS server can send to an Extreme switch after successful authentication.
These attributes must be configured on the RADIUS server along with the Extreme Networks Vendor ID, which is 1916.
VSA | Attribute Type | Format | Sent-in | Description |
---|---|---|---|---|
Extreme-CLI-Authorization | 201 | Integer | Access-Accept | Specifies whether command authorization is to be enabled or disabled for the user on the ExtremeXOS switch. |
Extreme-Netlogin-VLAN-Name | 203 | String | Access-Accept | Name of destination VLAN after successful authentication (must already exist on switch). |
Extreme-Netlogin-URL | 204 | String | Access-Accept | Destination web page after successful authentication. |
Extreme-Netlogin-URL-Desc | 205 | String | Access-Accept | Text description of network login URL attribute. |
Extreme-Netlogin-Only | 206 | Integer | Access-Accept | Indication of whether the user can authenticate using other means, such as telnet, console, SSH, or Vista. A value of “1” (enabled) indicates that the user can only authenticate via network login. A value of “0” (disabled) indicates that the user can also authenticate via other methods. |
Extreme-User-Location | 208 | String | ||
Extreme-Netlogin-VLAN-ID | 209 | Integer | Access-Accept | ID of destination VLAN after successful authentication (except for dynamic VLANs, must already exist on switch). |
Extreme-Netlogin-Extended-VLAN | 211 | String | Access-Accept | Name or ID of the destination VLAN after successful authentication (must already exist on switch). Note: When using this attribute, specify whether the port should be moved tagged or untagged to the VLAN. See the guidelines listed in the section VSA 211: Extreme-Netlogin-Extended-Vlan for more information. |
Extreme-Security-Profile | 212 | String | Access-Accept | Specifies a universal port profile to execute on the switch. For more information, see Universal Port. |
EXTREME_VM_NAME | 213 | String | Access-Accept | Specifies the name of the VM that is being authenticated. Example: MyVM1 |
EXTREME_VM_VPP_NAME | 214 | String | Access-Accept | Specifies the VPP to which the VM is to be mapped. Example: nvpp1 |
EXTREME_VM_IP_ADDR | 215 | String | Access-Accept | Specifies the IP address of the VM. Example: 11.1.1.254 |
EXTREME_VM_CTag | 216 | Integer | Access-Accept | Specifies the ID or tag of the destination VLAN for the VM. Example: 101 |
EXTREME_VM_VR_Name | 217 | String | Access-Accept | Specifies the VR in which the destination VLAN is to be placed. Example: UserVR1 |
The examples in the following sections are formatted for use in the FreeRADIUS users file. If you use another RADIUS server, the format might be different.

Note
For information on how to use and configure your RADIUS server, refer to the documentation that came with your RADIUS server.
For untagged VLAN movement with 802.1X netlogin, you can use all current Extreme Networks VLAN VSAs: VSA 203, VSA 209, and VSA 211.
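To check which of these attributes a RADIUS server actually returns (for example, whether Extreme-CLI-Authorization or Extreme-Netlogin-Only is set for a user), the attribute portion of an Access-Accept can be decoded against the table above. The following Python sketch is an added example, not code from Extreme Networks or from any RADIUS server; it assumes the sub-attribute layout recommended by RFC 2865 (one-byte type, one-byte length, value), takes the attribute bytes that follow the 20-byte RADIUS header, and uses a constructed sample rather than a captured packet.

```python
import struct

EXTREME_VENDOR_ID = 1916  # vendor ID stated on this page
VENDOR_SPECIFIC = 26      # RADIUS Vendor-Specific attribute type (RFC 2865)
INTEGER_VSAS = {201, 206, 209, 216}  # "Integer" rows of the table; the rest are strings
VSA_NAMES = {  # attribute type -> name, copied from the table above
    201: "Extreme-CLI-Authorization", 203: "Extreme-Netlogin-VLAN-Name",
    204: "Extreme-Netlogin-URL", 205: "Extreme-Netlogin-URL-Desc",
    206: "Extreme-Netlogin-Only", 208: "Extreme-User-Location",
    209: "Extreme-Netlogin-VLAN-ID", 211: "Extreme-Netlogin-Extended-VLAN",
    212: "Extreme-Security-Profile", 213: "EXTREME_VM_NAME",
    214: "EXTREME_VM_VPP_NAME", 215: "EXTREME_VM_IP_ADDR",
    216: "EXTREME_VM_CTag", 217: "EXTREME_VM_VR_Name",
}

def tlvs(buf):
    """Yield (type, value) for each type/length/value record in buf."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError(f"malformed attribute at offset {pos}")
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def decode_extreme_vsas(attrs):
    """Return {name: value} for the Extreme VSAs in a RADIUS attribute list."""
    out = {}
    for atype, body in tlvs(attrs):
        if (atype != VENDOR_SPECIFIC or len(body) < 4
                or struct.unpack("!I", body[:4])[0] != EXTREME_VENDOR_ID):
            continue  # standard attribute or another vendor's VSA
        for vtype, value in tlvs(body[4:]):
            name = VSA_NAMES.get(vtype, f"Extreme-Unknown-{vtype}")
            if vtype in INTEGER_VSAS:
                if len(value) != 4:
                    raise ValueError(f"{name}: integer must be 4 bytes")
                out[name] = struct.unpack("!I", value)[0]
            else:
                out[name] = value.decode("ascii", errors="replace")
    return out

def vsa(vendor_id, vtype, value):  # hypothetical helper: encode one VSA for the sample
    sub = bytes([vtype, len(value) + 2]) + value
    return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", vendor_id) + sub

# Constructed sample (not a capture): two Extreme VSAs, a vendor-9 VSA, a Reply-Message.
SAMPLE = (vsa(1916, 203, b"purple") + vsa(1916, 206, struct.pack("!I", 1))
          + vsa(9, 1, b"ignored") + bytes([18, 4]) + b"ok")
print(decode_extreme_vsas(SAMPLE))
```

Malformed lengths raise `ValueError` instead of being skipped, so a truncated or corrupted attribute list is not silently reported as "no VSAs present".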
VSA 201: Extreme-CLI-Authorization
This attribute specifies whether command authorization is to be enabled or disabled for the user on the ExtremeXOS switch.
If command authorization is disabled, the user has full access to all CLI commands. If command authorization is enabled, each command the user enters is accepted or rejected based on the contents of the profiles file on the RADIUS server.
When added to the RADIUS users file, the following example enables command authorization for the associated user:
Extreme: Extreme-CLI-Authorization = enabled
When added to the RADIUS users file, the following example disables command authorization for the associated user:
Extreme: Extreme-CLI-Authorization = disabled
VSA 203: Extreme-Netlogin-VLAN-Name
This attribute specifies a destination VLAN name that the RADIUS server sends to the switch after successful authentication.
The VLAN must already exist on the switch. When the switch receives the VSA, it adds the authenticated user to the VLAN.
- For untagged VLAN movement with 802.1X netlogin, you can use all current Extreme Networks VLAN VSAs: VSA 203, VSA 209, and VSA 211.
- To specify the VLAN name, use an ASCII string.
- When using this VSA, do not specify whether the VLAN is tagged or untagged.
- Extreme-Netlogin-Extended-VLAN (VSA 211)
- Extreme-Netlogin-VLAN-Name (VSA 203)
- Extreme-Netlogin-VLAN-ID (VSA 209)
- Tunnel-Private-Group-ID, but only if Tunnel-Type == VLAN(13) and Tunnel-Medium-Type == 802 (6) (see Standard RADIUS Attributes Used by Extreme Switches)
If none of the previously described attributes are present, ISP mode is assumed, and the client remains in the configured VLAN.
When added to the RADIUS users file, the following example specifies the destination VLAN name, purple, for the associated user:
Extreme: Extreme-Netlogin-VLAN-Name = purple
VSA 204: Extreme-Netlogin-URL
The Extreme-NetLogin-Url attribute specifies a web page URL that the RADIUS server sends to the switch after successful authentication. When the switch receives the attribute in response to a web-based network login, the switch redirects the web client to display the specified web page. If a login method other than web-based is used, the switch ignores this attribute.
- To specify the URL to display after authentication, use an ASCII string.
- If you do not specify a URL, the network login infrastructure uses the default redirect page URL, , or the URL that you configured using the configure netlogin redirect-page command.
- VSA 204 applies only to the web-based authentication mode of Network Login.
The following example specifies the redirection URL to use after successful authentication.
To configure the redirect URL as http://www.myhomepage.com, add the following line:
Extreme: Netlogin-URL = http://www.myhomepage.com
VSA 205: Extreme-Netlogin-URL-Desc
The Extreme-NetLogin-Url-Desc attribute provides a redirection description that the RADIUS s